Regarding this: Are passwords in memory?
So does someone have a good idea on how to securely store my passwords?
The "passwords.txt" -> ctrl+c; ctrl+v a password approach is not very secure.
I have passwords for various places, and they're very long random chars, which change too often.
Are there any good password manager apps, that can securely show passwords stored in them? (e.g.: really protects me from "bad people" getting passwords from memory?)

Btw, I realized that it is not clear from your question that you're asking about your own passwords, for other services, stored on your desktop (or laptop, or whatever) - as opposed to an application / service storing passwords for all registered users. Can you put that clarification in the question (assuming I understood correctly)?
– AviD♦ Apr 26 '11 at 18:12

But I don't think keepassx (and keepass also?) protects you from apps and web sites that can access your clipboard, as discussed in the question.
– nealmcb Apr 28 '11 at 22:08

Keepass is a great application and you should definitely use it not only to store your passwords, but also to generate them. Keepass has a configurable password generator (you can choose the length, the special characters to use and so on), and can generate very strong passwords.
– dSebastien May 3 '11 at 18:52

If your "paranoid dial" is turned up all the way to 11, the short answer is "No".

No matter how you store your passwords, there will at some point be a transfer in memory that is a cleartext representation of some authenticator. That "cleartext" may be your ASCII password, or it may be a hash of it, but it will still be enough to independently validate your credentials to the recipient. This is because the authenticator has to be entered in its natural form, before the system can process it for hashing or encryption.

If your concern is about rootkits, malicious debuggers, and similar attacks, there's no method of password management or storage that can keep you totally safe.

The only real mitigation for this vulnerability is to have two-factor authentication, with one factor being a dynamic element of some kind (i.e.: RSA token or "callback" authentication), on everything. This way, no matter what static elements are captured from your memory, an attacker can never re-use your credentials without the dynamic authenticator.

Of course, there's still the possibility of side-channel attacks such as session hijacking and the like, but those are beyond the scope of this question.

For a more practical means of protecting your password, which will cover most defensible vulnerabilities, you're best served to go with a secure password manager such as KeePass or others like it.

Firstly, let's get things in perspective: passwords are way too broken to obsess over to this extent. If loss of a password is intolerable then you probably shouldn't be using a password in the first place - look into using one-time passwords, two-factor authentication, certificate-based schemes or similar.

After all, sooner or later you have to type the password into some client which you must trust (might not even be a computer you control, might be keylogged). Someone may see you enter the password. Not only that, but your password is almost certainly also processed and stored in a target system that is completely beyond your control - probably more than one if you reuse passwords across systems as most people do. All of the storage involved is almost certainly more vulnerable and much easier to compromise than the RAM in a trusted device that is under your physical control.

So your password(s) should be regarded as fundamentally disposable and unlikely to remain confidential for an extended period, no matter what you do.

Having said that, passwords aren't going away any time soon, so either use a number of passwords which you can remember yourself (e.g. have a few different passwords or passphrases and use them for sites of different value), or use a password manager or password generator/manager.

TOTAL REWRITE:
AviD's point was well taken - the first edition was for password storage on the server, not for a user storing his passwords on the client. Here's try #2.

If you're storing passwords for various sites, your application will need to:
- Store them securely
- Retrieve them accurately

So you can't just salt the passwords, you need a system that will encrypt them. That suggests that you might want to look into applications that are FIPS 140-2 compliant. There are 4 levels of FIPS, but it all focuses on cryptographic devices with key storage capabilities that offer various escalating security features. The lowest end is basic good practices that can be implemented in SW libraries, the upper end is devices that cost lots of money but offer a high confidence in the system's capability to protect itself. For a normal human, I would think FIPS 1 or 2 (the low levels) would be sufficient.

You could either write your own application using a FIPS compliant library (NSS is one, if you happen to be a Java geek), or look for applications that claim FIPS compliance in their crypto implementations.

No matter how you store the passwords, you're going to end up needing a key of some sort to decrypt them. That means you'll have the classic chicken and egg problem - how do you store the key securely so that your passwords are secure? Given that you have lots of passwords grouped in one place, you've increased the security demands on key storage. My thought would be to either memorize the key, or store it in offline storage.

You properly note not only the danger of storing passwords in plain text, but also of using copy/paste to move them around.

In our question on Is clipboard secure?, Guillaume's answer notes that many apps and web sites have access to your clipboard, and that Password Safe avoids that by letting you drag-and-drop the password to the web page on which you want to enter it. It also quickly wipes the password from memory.

There's a cut-and-paste mechanism that clears the clipboard after 12 seconds, and it monitors the clipboard to see if there are other processes monitoring it as well. Further, there's an auto-type feature that skips the clipboard altogether.

Welcome to the site. Your suggestion is good for generating passwords, but this question is about storing them. Perhaps you could expand your answer to include some solutions for that?
– Iszi Apr 26 '11 at 14:27

Sridharan, I just want you to know that Steve Gibson is on attrition.org. Have a look!
– KilledKenny Apr 26 '11 at 19:16

@Iszi: Apologies! I am just learning how to use StackOverflow.
– Legolas Apr 26 '11 at 20:14

@WZeberaFFS - Aside from the connection to GRC, I'm not sure exactly what relevancy that comment has to this answer - let alone what actual value it adds to the discussion here.
– Iszi Apr 28 '11 at 20:45

Note: Never trust a 3rd party on the internet to provide you with passwords. They might be weakly generated, they might decide to seed them maliciously, they might decide to search for sites where they are used and impersonate you...
– AviD♦ Jan 26 '14 at 19:37